From: Doug Sampson
To: 'Damien Fleuriot', freebsd-pf@freebsd.org
Date: Sat, 10 Mar 2012 21:34:13 +0000
Subject: RE: Differences in PF between FBSD 8.2 & 9.0?
In-Reply-To: <4F3B76DB.1040301@my.gd>
> On 2/15/12 2:22 AM, Doug Sampson wrote:
> > I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
> > any incoming mail. I'm using spamd in conjunction with pf. I use a
> > combination of natting along with redirections in conjunction with the
> > normal pass/block rules.
> >
>
> Toggle logging on both your default drop rule and your allow mail ones.
>
> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
> See what rule number matches your packets, then find out what rule that
> is with pfctl -vvvsr
>

I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)

Here's what the tcpdump shows:

mailfilter-root@~# tcpdump -nei pflog0 port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
...

The pflog0 shows that all incoming packets are blocked by rule #0 which is:

@0 scrub in all fragment reassemble
@0 block drop in log all

And

mailfilter-root@~# spamdb | g GREY
mailfilter-root@~#

No greytrapping is occurring. Is the 'scrub' rule screwing up our packets?
Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0. Also, why am I being warned that there isn't an IPv4 address assigned to pflog0?

Pertinent pf.conf section related to spamd:

# spamd-setup puts addresses to be redirected into table .
table persist
table persist
table persist file "/usr/local/etc/spamd/spamd-mywhite"
table persist file "/usr/local/etc/spamd/spamd-spf.txt"

#no rdr on { lo0, lo1 } from any to any

# redirect to spamd
rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port spamd
rdr inet proto tcp from ! to $external_addr port smtp -> 127.0.0.1 port spamd

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all

# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

~Doug
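An added example, not from the thread, that puts Damien's two checks together: it parses a pflog line from tcpdump -nei pflog0 and the rule listing from pfctl -vvsr, names the rule number that matched, and flags that the logged destination (127.0.0.1:8025 in the post) is the post-rdr address, which is what pf's filter rules are matched against. The rule listing, its counters and the address 203.0.113.10 are constructed.

```python
import re

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)\.\.\d+/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return the fields of one 'tcpdump -nei pflog0' line, or None if it is not one."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d.update(rule=int(d["rule"]), sport=int(d["sport"]), dport=int(d["dport"]))
    return d

def parse_pfctl_rules(text):
    """Map rule numbers in 'pfctl -vvsr' output to rule text, skipping counter lines."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(.*)", line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def explain_block(logline, rules_text):
    """Name the rule that logged a blocked packet and flag a loopback (post-rdr)
    destination: pf applies rdr before filtering, so pass rules must match it."""
    pkt = parse_pflog_line(logline)
    if pkt is None or pkt["action"] != "block":
        return None
    rule_text = parse_pfctl_rules(rules_text).get(pkt["rule"], "<unknown>")
    return {
        "rule": pkt["rule"],
        "rule_text": rule_text,
        "dst": f'{pkt["dst"]}:{pkt["dport"]}',
        "post_rdr": pkt["dir"] == "in" and pkt["dst"].startswith("127."),
    }

# Constructed samples modelled on the post; 203.0.113.10 stands in for $external_addr.
SAMPLE_LOG = ("13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: "
              "75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766")
SAMPLE_RULES = """\
@0 block drop in log all
  [ Evaluations: 1234      Packets: 12        Bytes: 720         States: 0     ]
@1 pass in log inet proto tcp from any to 203.0.113.10 port = smtp flags S/SA synproxy state
"""
```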